Some Lenovo laptops install software even after you clean install Windows (but there’s a fix)

Most computers that ship with Windows also ship with some third-party software installed by the PC maker. Some of that software can be useful, including drivers for touchpads, cameras, wireless cards, and other hardware. Some is less useful, including pre-installed free trial security or office software.

You’d think that one way to get rid of all those apps would be to completely re-install Windows. But if you have a recent Lenovo laptop, that might not be enough: because as some users have noticed, Lenovo included a tool in the BIOS on many of its laptops that automatically replaces a Windows system file and causes the computers to download Lenovo’s software.

Theoretically, Lenovo’s software could provide a way to make sure your computer has all the software it needs to run properly. Microsoft allows PC makers to do this sort of thing.

So why is Lenovo letting users disable the service? Because it’s also been identified as the source of a security vulnerability, since it opens the door for someone to install malware on your computer.

It’s worth noting that Lenovo could have opted to patch the security vulnerability and continued replacing Microsoft’s updater with its own software. But instead the company chose to issue a patch that disables the process altogether.

Share this:

Liliputing’s primary sources of revenue are advertising and affiliate links (if you click the “Shop” button at the top of the page and buy something on Amazon, for example, we’ll get a small commission).

But there are several ways you can support the site directly even if you’re using an ad blocker and hate online shopping.

You can flag a comment by clicking its flag icon. Website admin will know that you reported it. Admins may or may not choose to remove the comment or block the author. And please don't worry, your report will be anonymous.

Great, superfish for the bios

Vote Up0Vote Down Reply

3 years ago

Guest

James

You can flag a comment by clicking its flag icon. Website admin will know that you reported it. Admins may or may not choose to remove the comment or block the author. And please don't worry, your report will be anonymous.

Wow, this means Lenovo doesn’t learn from the past. I really don’t want to buy a Lenovo PC including their ThinkPad and ThinkStation brands (who knows what really is “included” despite their claims about their business line).

Lenovo == Shady

Vote Up0Vote Down Reply

3 years ago

Guest

jimberkas

You can flag a comment by clicking its flag icon. Website admin will know that you reported it. Admins may or may not choose to remove the comment or block the author. And please don't worry, your report will be anonymous.

wth, Lenovo…this will probably make me not buy and Lenovo or Zuk phones either. this can’t possibly be worth it to them

Vote Up0Vote Down Reply

3 years ago

Guest

Simon Wood

You can flag a comment by clicking its flag icon. Website admin will know that you reported it. Admins may or may not choose to remove the comment or block the author. And please don't worry, your report will be anonymous.

Let’s be clear what is going on here. Lenovo is/was abusing the WPBT table which is ‘supposed’ to let PC manufactures install required drivers. The table details a location in memory where an application can be download from – it does need to be appropriately signed/timestamped, but then Windows will happily run it.

So there are a number of potential problems:
1). _Any_ BIOS can include this WPBT in ACPI list at any time in the future… maybe after a secret knock on the network interface.
2). The table includes space for additional command parameters, which aren’t signed.
3). It’s not like the security researchers haven’t already been flashing network cards to mess with ACPI tables/values.
4). It’s probably not hard to find a signed binary to include; just tailor it’s operation with the command parameters.

I think that Lenovo may have accidentally lifted the lid on a whole new class/round of malware…

Vote Up0Vote Down Reply

3 years ago

Guest

David

You can flag a comment by clicking its flag icon. Website admin will know that you reported it. Admins may or may not choose to remove the comment or block the author. And please don't worry, your report will be anonymous.

If it is as you describe it, an easy to abuse/exploit hole in Windows, then the real villain here is (once again) Microsoft – for providing this hole in the first place. Yes Lenovo is Evil too. But as long as you leave your door unlocked, sooner or later some unwanted person is going to walk through it. Microsoft left that door unlocked.